ietf-dkim

Re: [ietf-dkim] NEW ISSUE: SSP-02: Policy Scope

2008-02-14 12:19:35

On Feb 14, 2008, at 3:26 AM, Charles Lindsey wrote:

On Wed, 13 Feb 2008 22:46:10 -0000, Douglas Otis <dotis(_at_)mail-abuse.org> wrote:

Agreed. DKIM can be employed in conjunction with _many_ transport protocols. While a domain may assert they sign "all" their SMTP traffic, they may not be signing other types of traffic that could potentially use DKIM signature headers. How would a domain indicate what protocol they cover by their assertion? It seems logical to restrict the SSP policy to that of SMTP. Other protocols can define where the relevant policy can be found, or they could add a protocol policy scope to the record.

If you want to indicate that information, then propose a new tag within the SSP record for the purpose. But the default should be that the SSP applies to all modes of transport. Otherwise the Bad Guys will just send mail like the following:

Received: by bar.com from foo.com by SMTP ...
Received: by foo.com from ebay.com by UUCP ...
From: security(_at_)ebay(_dot_)com
[NO DKIM signature]

Agreed. This issue does not appear to have been entered into the RT tracking, but both you and Jim have suggested this alternative solution. Here is a more formalized suggestion for a tag added to the policy record.

s= Policy Scope (plain-text; OPTIONAL; default is "SMTP").  A colon-
   separated list of policy scopes specifying the protocols to which
   this record applies.  Verifiers for a given service type MUST
   ignore this record if the appropriate type is not listed.
   Currently defined service types are as follows:

       *   matches all service types
       !  disavows protocol use

       SMTP     RFC2821
       NNTP     RFC3977
       MSRP     RFC4975

   This tag is intended to constrain the use of the policy to the
   transport protocols that may implement it, should DKIM be defined
   for other protocols in the future. This tag can also disavow use
   of specific protocols, to repudiate references to this domain.

ABNF:

   policy-s-tag = %x73 [FWS] "=" [FWS] [proto-disavow] policy-s-tag-type
                  0*( [FWS] ":" [FWS] policy-s-tag-type )
   proto-disavow = "!"
   policy-s-tag-type = "SMTP" / "NNTP" / "MSRP" / "*" / x-policy-s-tag-type
   x-policy-s-tag-type = hyphenated-word   ; for future extension



_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
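The following is an added worked example, not code from the thread or from the working group: a small parser for the proposed s= tag that lets a verifier for a given service type decide whether the SSP record applies to it, must be ignored (type not listed), or disavows the domain's use of that protocol. Two assumptions are made and marked in the comments: the record is framed as a DKIM-style tag-list ("tag=value; tag=value", with a hypothetical "dkim=all" policy tag used only as filler), and a leading "!" repudiates every type listed after it, which is one reading of the proposal's single proto-disavow position. The forged UUCP relay from Charles Lindsey's message is used as the constructed test case.

```python
"""Evaluate the proposed SSP "s=" (policy scope) tag for a verifier.

Constructed example for the s= proposal; not IETF or working-group code.
Assumptions (not stated in the message):
  * the SSP record is a DKIM-style tag-list: tag=value pairs joined by ";"
  * a leading "!" disavows every service type listed after it
"""
import re
from enum import Enum
from typing import Dict, List, Tuple

DEFAULT_SCOPE = ("SMTP",)  # default when the s= tag is absent

# hyphenated-word (as in the DKIM ABNF): ALPHA, then ALNUM/"-", ending ALNUM.
# "*" is the wildcard matching every service type.
_TYPE_RE = re.compile(r"^(?:\*|[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?)$")


class Scope(Enum):
    APPLIES = "applies"      # record governs this service type
    IGNORE = "ignore"        # type not listed: verifier MUST ignore record
    DISAVOWED = "disavowed"  # domain repudiates use over this service type


def parse_tag_list(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict (assumed DKIM framing).

    Duplicate or malformed tags make the whole record invalid.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if not part.strip():
            continue  # trailing ";" or empty element
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value.strip()
    return tags


def parse_scope(value: str) -> Tuple[bool, List[str]]:
    """Parse an s= value per the proposed ABNF.

    Returns (disavow, types). FWS around "=", "!" and ":" is tolerated by
    stripping; ABNF string literals are case-insensitive, so types are
    normalised to upper case. Raises ValueError on any malformed token,
    including empty elements such as "SMTP::NNTP" or a bare "!".
    """
    text = value.strip()
    disavow = text.startswith("!")
    if disavow:
        text = text[1:].lstrip()
    types = [t.strip() for t in text.split(":")]
    if any(not _TYPE_RE.match(t) for t in types):
        raise ValueError(f"malformed s= value: {value!r}")
    return disavow, [t if t == "*" else t.upper() for t in types]


def scope_is_valid(value: str) -> bool:
    """True when the s= value conforms to the ABNF."""
    try:
        parse_scope(value)
        return True
    except ValueError:
        return False


def evaluate_scope(record: str, service_type: str) -> Scope:
    """Decide how a verifier for service_type must treat this record."""
    tags = parse_tag_list(record)
    if "s" in tags:
        disavow, types = parse_scope(tags["s"])
    else:
        disavow, types = False, list(DEFAULT_SCOPE)
    listed = "*" in types or service_type.upper() in types
    if not listed:
        return Scope.IGNORE
    return Scope.DISAVOWED if disavow else Scope.APPLIES


if __name__ == "__main__":
    # Constructed scenario: an unsigned message claiming ebay.com arrives
    # over a UUCP hop. "dkim=all" is a hypothetical policy tag used as filler.
    for rec in ("dkim=all", "dkim=all; s=*", "dkim=all; s=!UUCP"):
        print(f"{rec!r:28} UUCP verifier -> {evaluate_scope(rec, 'UUCP').value}")
```

With the default scope, the UUCP verifier ignores the record, so the forged relay in Charles Lindsey's example escapes the policy; "s=*" makes the record apply to every transport, and "s=!UUCP" lets the domain repudiate UUCP outright. The parser rejects empty list elements and a lone "!" rather than silently treating them as "no scope", since a lenient reading would let a malformed record widen or narrow coverage unintentionally.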